12/2: The Dark Web Baits Me

I spent the week in Florida with my family, and I [security insertion: don’t reveal publicly where your family lives; lock your geographical references down!] found myself with a teachable moment.

On Friday, at around 10:21 in the morning, I received the following text message on my regular front-line mobile:

If the Annenberg Digital Security Initiative has one main rule, one practical mental habit that is valuable at all times, it’s simply this: if you don’t recognize the number that is texting you, or the e-mail address, or the name, of the person who is writing to you, then, for the sake of all things holy, DO NOT RESPOND in any way. Take a mindful pause.

Our approach recognizes that our click-whrrr response to incoming e-mail in our personal lives is a hard addiction to break, and there is no automatic Disulfiram filter that helps us. So we start by training students to take mindful pauses when they’re using any digital communications tool for their work, and then, little by little, we seek to instantiate a security rhythm into their daily lives. We know there is no real distinction between personal and professional, and if we had more of their attention, we would START with their personal lives. I digress.

Back to this message. First, I noticed that it was an SMS message from an area code I did not recognize.

Clicking on the URL was out of the question, but I wanted to figure out who or what had sent this to me, and then figure out what they wanted from me.

I went to DuckDuckGo, and I found out that the number is registered to an unknown entity in Burksville, Kentucky.

Funny place for a node on the Dark Web to live.

The URL — oneond [dot] site — looked suspiciously to me like it was an access point to an Onion gateway — that is — a part of the web that isn’t regularly indexed by search engines.

Since I didn’t have a spare and perishable device handy, I wasn’t able to test this this assumption, but some web sleuthing pointed me to a grab bag of deep links that attached themselves to the Dark Web.

Aside from the occasional burner phone and in-class demonstrations, I don’t access the Dark Web — and certainly — I don’t use Tor or anything else that touches it on my personal laptop — and not on my phone.

All of this is to say: don’t answer when someone you don’t know texts you, especially using the SMS protocol.

At best, clicking the link will confirm to the person or machine on the other end of the communication that the device they intended to send something to is the device they reached.

At worst, you’re letting some entity install a payload onto your phone that isn’t going to service the best needs of your mindfully secure digital life.